diff --git a/20-kube/06-postgres.yaml b/20-kube/06-postgres.yaml
new file mode 100644
--- /dev/null
+++ b/20-kube/06-postgres.yaml
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pomerium-db-data
+ labels:
+ type: local
+spec:
+ storageClassName: manual
+ hostPath:
+ path: "/opt/pomerium-db"
+ capacity:
+ storage: 50Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ claimRef:
+ namespace: pomerium
+ name: pomerium-db-data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: pomerium
+ name: pomerium-db-data
+spec:
+ storageClassName: ""
+ volumeName: "pomerium-db-data"
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: pomerium
+ name: pomerium-db
+spec:
+ replicas: 1
+ strategy: {type: Recreate}
+ selector:
+ matchLabels:
+ app: pomerium-db
+ template:
+ metadata:
+ labels:
+ app: pomerium-db
+ annotations:
+ prometheus.io/scrape: "false"
+ spec:
+ volumes:
+ - name: pomerium-db-data
+ persistentVolumeClaim:
+ claimName: pomerium-db-data
+ containers:
+ # see /my/serv/photoprism/deploy.yaml for exporter example (for mariadb)
+ - name: pomerium-db
+ image: postgres:14.2-alpine3.15
+ env:
+ - {name: POSTGRES_PASSWORD, value: admin}
+ - {name: POSTGRES_DB, value: pomerium}
+ ports:
+ - containerPort: 5432
+ volumeMounts:
+ - name: pomerium-db-data
+ mountPath: /var/lib/postgresql/data
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: In
+ values: ["ditto"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: pomerium
+ name: pomerium-db
+spec:
+ ports:
+ - port: 5432
+ targetPort: 5432
+ selector:
+ app: pomerium-db
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: pomerium
+ name: postgres-connection-key
+type: Opaque
+stringData:
+ connection: postgresql://pom:pom@pomerium-db/pomerium
diff --git a/20-kube/10-pom-pom.yaml b/20-kube/10-pom-pom.yaml
--- a/20-kube/10-pom-pom.yaml
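Review bot: Both database credentials in 06-postgres.yaml are committed in clear text: `POSTGRES_PASSWORD` is the literal `admin` in the Deployment's `env`, and the `postgres-connection-key` Secret carries `pom:pom` in `stringData`, so anyone who can read the repository or the pod spec has them. The two also do not agree: no `POSTGRES_USER` is set, so the image should initialise only its default superuser with the `admin` password, and the `pom` role named in the connection string would presumably have to be created by hand — worth confirming. I would source the container's user and password from a Secret via `secretKeyRef` (sketch below; the Secret name is a placeholder), create that Secret and the connection-string Secret outside version control, and use a generated password. The `pomerium-db` Service is added without any NetworkPolicy in this file, so unless one exists elsewhere any pod in the cluster can likely reach port 5432; limiting ingress to the Pomerium pods would contain the impact of a guessed or leaked password.

```yaml
# … unchanged: container name, image …
env:
  - name: POSTGRES_USER
    valueFrom:
      secretKeyRef:
        name: pomerium-db-credentials  # placeholder name, created out of band
        key: username
  - name: POSTGRES_PASSWORD
    valueFrom:
      secretKeyRef:
        name: pomerium-db-credentials  # placeholder name, created out of band
        key: password
  - {name: POSTGRES_DB, value: pomerium}
# … unchanged: ports, volumeMounts, affinity …
```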
+++ b/20-kube/10-pom-pom.yaml @@ -15,6 +15,9 @@ spec: # adds name+locale to user details - profile secret: pomerium/idp + storage: + postgres: + secret: pomerium/postgres-connection-key # Note pom won't start up if this cert doesn't exist, so you have to run once # with it commented out, then after cert success, run again with it enabled. diff --git a/20-kube/skaffold.yaml b/20-kube/skaffold.yaml --- a/20-kube/skaffold.yaml +++ b/20-kube/skaffold.yaml @@ -5,6 +5,7 @@ metadata: manifests: rawYaml: - 05-idp-secret.yaml + - 06-postgres.yaml - 10-pom-pom.yaml - 20-pom-deploy.yaml - 21-pom-svc.yaml